May 14, 2024

GHSL-2024-055: GitHub Actions expression injection in DuckDB

Jorge Rosillo

Coordinated Disclosure Timeline

Summary

DuckDB is vulnerable to Actions expression injection allowing attackers to take over the repository and steal secrets.

Project

DuckDB

Tested Version

v0.10.1

Details

Actions expression injection in CheckIssueForCodeFormatting.yml (GHSL-2024-055)

The CheckIssueForCodeFormatting.yml workflow is triggered on issues (i.e., when an Issue is created). The workflow starts with a full write-permissions GitHub repository token, since the default workflow permissions at the Organization/Repository level are set to read-write.

Taking the above into account, this workflow injects data controlled by said Issue (${{ github.event.issue.body }}, the body of the Issue) directly into a Run step's script, allowing an attacker to take over the GitHub Runner, run custom commands and alter the repository.

- name: Check issue for code formatting
  run: |
    cat << 'EOF' >> issue-text.md
    ${{ github.event.issue.body }}"
    EOF
    if ! cat issue-text.md | python3 scripts/check-issue-for-code-formatting.py; then
        gh issue comment ${{ github.event.issue.number }} --body-file .github/workflows/code-formatting-warning.md
    fi
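As an added illustration (not part of the advisory or of DuckDB's own code), a small checker that walks a workflow's run: scripts and flags ${{ }} expressions drawn from contexts GitHub documents as attacker-controllable. It is exercised against a trimmed copy of the step above and against the same step rewritten to pass the Issue body through an environment variable, which is the standard remediation; the prefix list is an assumed subset, and both workflow samples are constructed here.

```python
import re

# Subset of the contexts GitHub documents as attacker-controllable (assumed list; extend as needed).
UNTRUSTED_PREFIXES = ("github.event.issue.title", "github.event.issue.body",
                      "github.event.pull_request.title", "github.event.pull_request.body",
                      "github.event.comment.body", "github.event.head_commit.message",
                      "github.event.pull_request.head.ref", "github.head_ref")
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")          # ${{ expression }}
RUN_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")     # a `run:` key, with or without list dash

def run_script_lines(workflow_text: str) -> list:
    """(line_no, text) for every line that belongs to a `run:` script, inline or block scalar."""
    lines, out, i = workflow_text.splitlines(), [], 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        i += 1                                    # i is now the 1-based number of the matched line
        if not m:
            continue
        key_indent, rest = len(m.group(1)), m.group(2)
        if rest and rest[0] not in "|>":          # inline form: run: <command>
            out.append((i, rest))
            continue
        # block scalar: every following line indented deeper than the key (blank lines included)
        while i < len(lines) and (not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > key_indent):
            out.append((i + 1, lines[i]))
            i += 1
    return out

def find_unsafe_expressions(workflow_text: str) -> list:
    """(line_no, expression) for each untrusted expression interpolated into a run script."""
    return [(n, e) for n, t in run_script_lines(workflow_text)
            for e in EXPR_RE.findall(t) if e.startswith(UNTRUSTED_PREFIXES)]

# Constructed samples: the step above (trimmed), and the same step passing the body via env so the shell only sees "$ISSUE_BODY".
VULNERABLE_STEP = """\
- name: Check issue for code formatting
  run: |
    cat << 'EOF' >> issue-text.md
    ${{ github.event.issue.body }}
    EOF
    gh issue comment ${{ github.event.issue.number }} --body-file .github/workflows/code-formatting-warning.md
"""
FIXED_STEP = """\
- name: Check issue for code formatting
  env:
    ISSUE_BODY: ${{ github.event.issue.body }}
  run: |
    printf '%s\\n' "$ISSUE_BODY" > issue-text.md
    gh issue comment ${{ github.event.issue.number }} --body-file .github/workflows/code-formatting-warning.md
"""
```

The numeric github.event.issue.number context is left unflagged in both samples; only the free-text body interpolated into the script is reported.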

Impact

This issue may lead to stealing workflow secrets and modification of the repository.

Proof of Concept

  1. Open an Issue with the following body:
    EOF
    whoami
    cat << 'EOF' >> issue-text.md
    foo
    
  2. Check the workflow runs for the new Actions run that will execute the command whoami.

Resources

Credit

This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-055 in any communication regarding this issue.